Windows registry forensics
During forensic investigations, Windows registry values are a treasure trove. Although registry values can be read both through the “regedit” UI and with the “reg query” command, a script that queries and analyses the Windows registry in code is far more powerful. Python provides access to the Windows registry through the _winreg library (named winreg in Python 3). In this article I am going to review code snippets from the book “Violent Python: A Cookbook for Hackers” that read registry values from a Python script.
Data about previously connected wireless networks is stored under the "SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged" key. You can access the Windows registry either through the registry editor (Run -> regedit) or by typing “reg query [key]” at a command prompt.
The script for querying that key and printing the name and MAC address of each connected wireless network is as follows:
    # Windows registry forensics
    from winreg import *

    def val2addr(val):
        # Convert the REG_BINARY value (6 raw bytes) to MAC address format
        addr = ''
        for ch in val:  # iterating over bytes in Python 3 yields ints
            addr += '%02x ' % ch
        addr = addr.strip(' ').replace(' ', ':')[0:17]
        return addr

    def printNets():
        # Raw strings: the backslashes in the key path are not escape sequences
        net = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion" + \
              r"\NetworkList\Signatures\Unmanaged"
        key = OpenKey(HKEY_LOCAL_MACHINE, net)
        print('\n[*] Networks You have Joined.')
        for i in range(100):  # print up to 100 networks
            try:
                guid = EnumKey(key, i)
                netKey = OpenKey(key, str(guid))
                (n, addr, t) = EnumValue(netKey, 5)  # value index 5 is the MAC address (DefaultGatewayMac)
                (n, name, t) = EnumValue(netKey, 4)  # value index 4 is the network's name (Description)
                macAddr = val2addr(addr)
                netName = str(name)
                print('[+] ' + netName + ' ' + macAddr)
                CloseKey(netKey)
            except OSError:  # EnumKey raises OSError once the subkeys run out
                break
        CloseKey(key)

    def main():
        printNets()

    if __name__ == "__main__":
        main()
This is not the original Windows registry analysis script from the book: that script was written for Python 2.6 and did not work at all on 64-bit Windows. To run the script, first install Python 3 for 64-bit Windows and then add the Python folder to your PATH environment variable (you can do that from Advanced system settings -> Advanced tab -> Environment variables -> Edit the PATH variable). After that, open a command prompt with administrator privileges and type:
Convert SID to username
The EnumValue function is not the only way of retrieving a key's value. For example, to convert a SID to a username (if you are curious where to find SIDs, have a look at the hidden folders C:\RECYCLER, C:\Recycled or C:\$Recycle.Bin, whose per-user subfolders are named after the SID), you can query the "SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\[SID]" key under HKEY_LOCAL_MACHINE with the QueryValueEx function:
    # Windows registry analysis script
    from winreg import *

    def sid2user(sid):
        # Raw string: the backslashes in the key path are not escape sequences
        key = OpenKey(HKEY_LOCAL_MACHINE,
                      r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" + '\\' + sid)
        (value, vtype) = QueryValueEx(key, 'ProfileImagePath')
        # the value is like %SystemDrive%\Documents and Settings\sina
        user = value.split('\\')[-1]  # to get 'sina' we take the text after the last \
        CloseKey(key)
        return user
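The two lookups above (joined networks and SID to username), as an added example that is not the article's or the book's code: values are fetched by name (Description, DefaultGatewayMac, ProfileImagePath) rather than by EnumValue position, which is not guaranteed to be stable, and registry access sits behind a small reader interface so the parsing can be checked against constructed data off-box. DictReader, WinregReader, the signature subkey name and the sample SID are my assumptions/constructed values; WinregReader only works on Windows.

```python
NETLIST = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged"
PROFILES = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"

class DictReader:
    """Constructed stand-in for HKLM: {key path: {"subkeys": [...], "values": {name: data}}}."""
    def __init__(self, tree: dict):
        self.tree = tree
    def subkeys(self, path: str) -> list:
        return list(self.tree[path]["subkeys"])
    def value(self, path: str, name: str):
        return self.tree[path]["values"][name]

class WinregReader:
    """Same interface over the live registry (Windows only; winreg is imported lazily)."""
    def subkeys(self, path: str) -> list:
        import winreg
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as k:
            return [winreg.EnumKey(k, i) for i in range(winreg.QueryInfoKey(k)[0])]
    def value(self, path: str, name: str):
        import winreg
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as k:
            return winreg.QueryValueEx(k, name)[0]  # QueryValueEx returns (data, type)

def mac_from_binary(data: bytes) -> str:
    """DefaultGatewayMac is REG_BINARY holding 6 raw bytes; render as aa:bb:cc:dd:ee:ff."""
    if len(data) != 6:
        raise ValueError(f"expected a 6-byte MAC, got {len(data)} bytes")
    return ":".join(f"{b:02x}" for b in data)

def joined_networks(reg) -> list:
    """(Description, gateway MAC) for each signature subkey, looked up by value name, not index."""
    out = []
    for guid in reg.subkeys(NETLIST):
        sub = NETLIST + "\\" + guid
        desc = reg.value(sub, "Description")
        out.append((desc, mac_from_binary(reg.value(sub, "DefaultGatewayMac"))))
    return out

def sid_to_user(reg, sid: str) -> str:
    """ProfileImagePath looks like %SystemDrive%\\Users\\alice; the last component is the account."""
    return reg.value(PROFILES + "\\" + sid, "ProfileImagePath").rstrip("\\").split("\\")[-1]

# Constructed sample data (not taken from any real machine).
SAMPLE = DictReader({
    NETLIST: {"subkeys": ["010103000F0000F0A1B2C3D4"], "values": {}},
    NETLIST + r"\010103000F0000F0A1B2C3D4": {"subkeys": [], "values": {
        "Description": "CoffeeShopWiFi", "DefaultGatewayMac": bytes.fromhex("0a1b2c3d4e5f")}},
    PROFILES + r"\S-1-5-21-1111111111-2222222222-3333333333-1001": {"subkeys": [], "values": {
        "ProfileImagePath": r"%SystemDrive%\Users\alice"}},
})
```

On a live system, pass `WinregReader()` instead of `SAMPLE` to the same two functions.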